The real problem with ransomware

Ransomware – a specialized form of malware that encrypts files and renders them inaccessible until the victim pays a ransom – is an extremely serious problem and it’s quickly getting worse. The FBI estimated that ransomware payments were $1 billion in 2016, up from “just” $24 million a year earlier. 2017 will likely see another dramatic increase in extortion payments with tens of thousands of ransomware victims paying several hundred dollars each to recover their encrypted files. In some instances, the ransom is larger, such as South Korean web hosting company Nayana, which paid 397.6 Bitcoin (about $1 million) in June 2017 and Hollywood Presbyterian Medical Center, which paid $17,000 in Bitcoin in February 2016.

Despite the significant payments to the cybercriminals behind ransomware, Osterman Research found that most ransomware victims don’t pay the sums that cybercriminals attempt to extort from them. For example, in a six-country survey of 1,054 small to medium-sized businesses conducted in June 2017 for Malwarebytes by Osterman Research, we found that only 28 percent of ransomware victims actually paid the ransom demands.

Since most organizations choose not to pay the ransom, the primary challenge stemming from a ransomware attack is not actually the ransom. Instead, Osterman Research discovered that the largest cost of ransomware is the downtime that results when endpoints become infected and the files they contain are no longer accessible. We found that the average amount of downtime that results from a ransomware infection is 21.4 hours, meaning that potentially critical files and systems are unavailable to an organization for nearly a day (or much longer in some cases). For example:

Desktop or laptop PCs infected with ransomware prevent users from accessing corporate email or databases, meaning users may not be able to communicate with key clients or respond to inquiries in a timely manner. At a minimum, employee productivity can be seriously impacted by ransomware-induced downtime. For example, on June 27, 2017, Washington, D.C.-based law firm DLA Piper instructed its employees not to turn on their computers and to remove all laptops from their docking stations, and in May 2017 FedEx employees received a text message telling them to turn off their computers as a precaution against a fast-moving ransomware attack.

Servers or other endpoints that process retail transactions can no longer do so once infected with ransomware, resulting in delayed or lost sales. One example is the KimcilWare ransomware that targets the Magento eCommerce platform.

Hospitals whose systems become inaccessible for hours or days because of ransomware can see lives put at risk, such as NHS patients whose cancer treatments were delayed as a result of a May 2017 attack.

Manufacturing operations can be temporarily shut down due to a ransomware attack, as were Renault factories in France and Slovenia in May 2017.

In short, while ransomware payments will likely cost businesses several billion dollars in 2017, the cost of downtime will be much higher.

To understand the full impact of downtime from an attack, Osterman Research has developed a cost calculator that aims to quantify the cost of downtime resulting from a ransomware attack. Using data from the June 2017 survey mentioned above, as well as secondary data, we made the following assumptions for an organization of 500 users that suffers just two downtime incidents per year:

Mean employee hourly wage: $28.00

Employee productivity loss during downtime: 50 percent

Corporate revenue generation per hour: $24,000

21 hours of downtime until full recovery

Impacts of ransomware:

50 percent chance of employees suffering productivity loss

30 percent chance that the business will shut down temporarily

20 percent chance of corporate revenue loss

Based on these assumptions, we found that for a 500-employee business, the total annual impact of downtime resulting from just two ransomware infections will be $219,634, or $220 per employee. That means that just two ransomware attacks per year are costing organizations the equivalent of nearly one day’s productivity per employee, not to mention the hard-to-quantify impacts of lost future revenue, damage to corporate reputation, missed deadlines, etc.

What this also means is that if a company could deploy a technology that would prevent just one of these ransomware infections each year, and if the total cost of that solution was $50 per user per year, the organization would save $170 per user per year in downtime costs or nearly $110,000 per year.
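The assumptions above and the prevention-technology arithmetic can be put into a small expected-value calculator. This is an added example, not Osterman Research's own cost calculator: the page does not state how the three impact probabilities are weighted, so the additive, independent weighting used here is my assumption and the totals it produces will not match the $219,634 figure quoted above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DowntimeAssumptions:
    """Inputs for an expected-value downtime cost model (figures from the page)."""
    users: int
    incidents_per_year: float
    hourly_wage: float          # mean employee hourly wage
    productivity_loss: float    # fraction of employee output lost during downtime
    revenue_per_hour: float     # corporate revenue generation per hour
    hours_down: float           # hours of downtime until full recovery
    p_productivity_loss: float  # chance employees suffer productivity loss
    p_shutdown: float           # chance the business shuts down temporarily
    p_revenue_loss: float       # chance of corporate revenue loss

# The page's figures for a 500-user organization with two incidents a year.
PAGE_ASSUMPTIONS = DowntimeAssumptions(
    users=500, incidents_per_year=2, hourly_wage=28.0, productivity_loss=0.5,
    revenue_per_hour=24_000.0, hours_down=21.0,
    p_productivity_loss=0.5, p_shutdown=0.3, p_revenue_loss=0.2)

def expected_cost_per_incident(a: DowntimeAssumptions) -> dict:
    """Probability-weighted cost of one incident, broken down by impact.
    Assumed here (not stated on the page): the three impacts are independent and
    additive, and a temporary shutdown idles the whole workforce (100% loss)."""
    payroll_for_outage = a.users * a.hourly_wage * a.hours_down
    return {
        "productivity": a.p_productivity_loss * payroll_for_outage * a.productivity_loss,
        "shutdown": a.p_shutdown * payroll_for_outage,
        "revenue": a.p_revenue_loss * a.revenue_per_hour * a.hours_down,
    }

def annual_downtime_cost(a: DowntimeAssumptions) -> float:
    return a.incidents_per_year * sum(expected_cost_per_incident(a).values())

def net_saving(a: DowntimeAssumptions, control_cost_per_user_year: float,
               incidents_prevented: float) -> float:
    """Annual saving from a control that prevents some incidents, net of its licence cost."""
    per_incident = sum(expected_cost_per_incident(a).values())
    return incidents_prevented * per_incident - control_cost_per_user_year * a.users

def break_even_incidents(a: DowntimeAssumptions, control_cost_per_user_year: float) -> float:
    """Incidents per year the control must prevent just to pay for itself."""
    return control_cost_per_user_year * a.users / sum(expected_cost_per_incident(a).values())

if __name__ == "__main__":
    for impact, value in expected_cost_per_incident(PAGE_ASSUMPTIONS).items():
        print(f"{impact:>12}: ${value:,.0f} per incident")
    print(f"annual cost: ${annual_downtime_cost(PAGE_ASSUMPTIONS):,.0f}")
    print(f"net saving, $50/user control preventing one incident: ${net_saving(PAGE_ASSUMPTIONS, 50.0, 1):,.0f}")
```

Swapping in an organization's own wage, revenue and probability estimates, or a measured recovery time instead of the survey average, turns the break-even figure into the number of incidents a proposed control actually has to stop.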

In short, the primary impact of ransomware on your company is not the ransom that is demanded of you. The real cost of ransomware is the downtime it causes, a cost that is much greater than the ransom itself.

Michael Osterman is the principal of Osterman Research, Inc., founded in 2001. Since that time, the company has become one of the leading analyst firms in the messaging and collaboration space, providing research, analysis, white papers and other services to companies like Hewlett Packard, IBM, Google, EMC, Symantec, Proofpoint, Dell and many others.
